635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

General

Target

1375950da71f03040d4043d9d84ac4c9.exe
Size

2.6MB
MD5

1375950da71f03040d4043d9d84ac4c9
SHA1

5f4baed37f6eb23d1b6efbe58ece75030f701a77
SHA256

635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164
SHA512

900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Score

8^/10

agilenet persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Word.exeWord.exe

pid process

1664 Word.exe
1184 Word.exe
Loads dropped DLL 1 IoCs

Processes:

1375950da71f03040d4043d9d84ac4c9.exe

pid process

1140 1375950da71f03040d4043d9d84ac4c9.exe

pid	process
1664	Word.exe
1184	Word.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1140-63-0x0000000000A00000-0x0000000000A21000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\Videos\\Word.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Word.exe

description pid process target process

PID 1664 set thread context of 1184 1664 Word.exe Word.exe

description	pid	process	target process
PID 1664 set thread context of 1184	1664	Word.exe	Word.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1184-78-0x0000000000400000-0x0000000000546000-memory.dmp	autoit_exe
behavioral1/memory/1184-79-0x0000000000426BF7-mapping.dmp	autoit_exe
behavioral1/memory/1184-85-0x0000000000400000-0x0000000000546000-memory.dmp	autoit_exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1375950da71f03040d4043d9d84ac4c9.exeWord.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	1375950da71f03040d4043d9d84ac4c9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	1375950da71f03040d4043d9d84ac4c9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	1375950da71f03040d4043d9d84ac4c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Word.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Word.exe

NTFS ADS 1 IoCs

Processes:

Word.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 Word.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1468 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	Word.exe

pid	process
1468	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1375950da71f03040d4043d9d84ac4c9.exeWord.exeWord.exe

pid	process
1140	1375950da71f03040d4043d9d84ac4c9.exe
1140	1375950da71f03040d4043d9d84ac4c9.exe
1140	1375950da71f03040d4043d9d84ac4c9.exe
1664	Word.exe
1664	Word.exe
1184	Word.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Word.exe

pid process

1184 Word.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1375950da71f03040d4043d9d84ac4c9.exeWord.exe

description pid process

Token: SeDebugPrivilege 1140 1375950da71f03040d4043d9d84ac4c9.exe
Token: SeDebugPrivilege 1664 Word.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1468 WINWORD.EXE
1468 WINWORD.EXE

pid	process
1184	Word.exe

description	pid	process
Token: SeDebugPrivilege	1140	1375950da71f03040d4043d9d84ac4c9.exe
Token: SeDebugPrivilege	1664	Word.exe

pid	process
1468	WINWORD.EXE
1468	WINWORD.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

1375950da71f03040d4043d9d84ac4c9.execmd.exeWord.exeWord.exeWINWORD.EXE

description	pid	process	target process
PID 1140 wrote to memory of 520	1140	1375950da71f03040d4043d9d84ac4c9.exe	cmd.exe
PID 1140 wrote to memory of 520	1140	1375950da71f03040d4043d9d84ac4c9.exe	cmd.exe
PID 1140 wrote to memory of 520	1140	1375950da71f03040d4043d9d84ac4c9.exe	cmd.exe
PID 1140 wrote to memory of 520	1140	1375950da71f03040d4043d9d84ac4c9.exe	cmd.exe
PID 520 wrote to memory of 888	520	cmd.exe	reg.exe
PID 520 wrote to memory of 888	520	cmd.exe	reg.exe
PID 520 wrote to memory of 888	520	cmd.exe	reg.exe
PID 520 wrote to memory of 888	520	cmd.exe	reg.exe
PID 1140 wrote to memory of 1664	1140	1375950da71f03040d4043d9d84ac4c9.exe	Word.exe
PID 1140 wrote to memory of 1664	1140	1375950da71f03040d4043d9d84ac4c9.exe	Word.exe
PID 1140 wrote to memory of 1664	1140	1375950da71f03040d4043d9d84ac4c9.exe	Word.exe
PID 1140 wrote to memory of 1664	1140	1375950da71f03040d4043d9d84ac4c9.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1664 wrote to memory of 1184	1664	Word.exe	Word.exe
PID 1184 wrote to memory of 1468	1184	Word.exe	WINWORD.EXE
PID 1184 wrote to memory of 1468	1184	Word.exe	WINWORD.EXE
PID 1184 wrote to memory of 1468	1184	Word.exe	WINWORD.EXE
PID 1184 wrote to memory of 1468	1184	Word.exe	WINWORD.EXE
PID 1468 wrote to memory of 876	1468	WINWORD.EXE	splwow64.exe
PID 1468 wrote to memory of 876	1468	WINWORD.EXE	splwow64.exe
PID 1468 wrote to memory of 876	1468	WINWORD.EXE	splwow64.exe
PID 1468 wrote to memory of 876	1468	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\1375950da71f03040d4043d9d84ac4c9.exe
"C:\Users\Admin\AppData\Local\Temp\1375950da71f03040d4043d9d84ac4c9.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\Videos\Word.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\Videos\Word.exe"
3⤵
- Adds Run key to start application
PID:888

C:\Users\Admin\Videos\Word.exe
"C:\Users\Admin\Videos\Word.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\Videos\Word.exe
"C:\Users\Admin\Videos\Word.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\VZORBE.rtf"
4⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
5⤵
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VZORBE.rtf
MD5
d295c8b2da0c5e453d9f1a38ce851f38

SHA1
edecdb3f9570c1903ed9f77d21920825403f3f8c

SHA256
9febf652d086e359850c6db8029301729d35723f4e1bc85279ce53fbc32034f4

SHA512
b439accc80b93f575589e37e1774a9815f43281597245feff21466ffd6107325324fc78bb57d431f1b8322c9e125b66e799eac6c75afe37208ae2cf92b805a07

Download Submit
C:\Users\Admin\Videos\Word.exe
MD5
1375950da71f03040d4043d9d84ac4c9

SHA1
5f4baed37f6eb23d1b6efbe58ece75030f701a77

SHA256
635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

SHA512
900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Download Submit
C:\Users\Admin\Videos\Word.exe
MD5
1375950da71f03040d4043d9d84ac4c9

SHA1
5f4baed37f6eb23d1b6efbe58ece75030f701a77

SHA256
635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

SHA512
900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Download Submit
C:\Users\Admin\Videos\Word.exe
MD5
1375950da71f03040d4043d9d84ac4c9

SHA1
5f4baed37f6eb23d1b6efbe58ece75030f701a77

SHA256
635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

SHA512
900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Download Submit
\Users\Admin\Videos\Word.exe
MD5
1375950da71f03040d4043d9d84ac4c9

SHA1
5f4baed37f6eb23d1b6efbe58ece75030f701a77

SHA256
635764197d1aff622d35d6b6c44a72c8a09b60a55ca465cef868ba428b30b164

SHA512
900a66f69a6392e5e73fc52b5ecd5a50559256c8e55dbdeb8ad5634a41774a9745cd07bdcf12ad4c77c39107748fe3ed11c4b27d2c0b518448949ed4e1606ce6

Download Submit
memory/520-64-0x0000000000000000-mapping.dmp

Download
memory/876-89-0x0000000000000000-mapping.dmp

Download
memory/876-90-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/888-65-0x0000000000000000-mapping.dmp

Download
memory/1140-66-0x0000000004D41000-0x0000000004D42000-memory.dmp

Filesize
4KB

Download
memory/1140-63-0x0000000000A00000-0x0000000000A21000-memory.dmp

Filesize
132KB

Download
memory/1140-59-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1140-61-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1184-81-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1184-85-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1184-78-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1184-79-0x0000000000426BF7-mapping.dmp

Download
memory/1468-82-0x0000000000000000-mapping.dmp

Download
memory/1468-83-0x000000006C301000-0x000000006C304000-memory.dmp

Filesize
12KB

Download
memory/1468-84-0x0000000069D81000-0x0000000069D83000-memory.dmp

Filesize
8KB

Download
memory/1468-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1468-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1664-77-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1664-76-0x0000000000A50000-0x0000000000A5B000-memory.dmp

Filesize
44KB

Download
memory/1664-73-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1664-71-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1664-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads